Journal of TxHIMA Article



Senate Bill 11: The Texas Extended Arm of HIPAA
By Larry Dunham, RHIA, Director, Health Information Management at Baylor University Medical Center in Dallas

Confidential health and medical data are now collected, analyzed, distributed and accessed in large quantities. Health care providers can access records to diagnose, treat, obtain payment for services, and monitor treatment from other health care providers. Clinical researchers use medical records to gather valuable data on the course of a disease and track response to a treatment. Insurers refer to medical records to determine coverage, make payments on claims, conduct utilization reviews, and for underwriting purposes in an attempt to manage rising health care costs. An employer may use employee health care data to track worker compensation claims and overall health care costs incurred by employees.

The Senate Health Committee was charged with reviewing the type, amount, availability, and use of patient-specific medical information, including prescription data, and current statutory and regulatory provisions governing its availability. This bill explores whether statutory and regulatory provisions are consistent and adequately enforced. Senate Bill 11 amends the Health and Safety Code to require certain persons who collect protected health information to comply with the federal Health Insurance Portability and Accountability Act (HIPAA) standards relating to an individual's access to protected health information, amendment of protected health information, uses and disclosures of protected health information, and notice of privacy practices.

The bill:
o authorizes a covered entity or health care entity to disclose protected health information to a person performing health research for the purpose of conducting health research only if the person performing health research has obtained individual consent or authorization for use of the information or a waiver granted by an institutional review board or privacy board;
o sets forth provisions relating to the composition and conduct of a privacy board;
o authorizes a covered entity or health care entity to disclose protected health information to a person performing health research if the covered entity or health care entity obtains from the person performing the health research certain representations as to the use and necessity of the information;
o authorizes a person who is the subject of protected health information collected or created in the course of a clinical research trial to access the information at the conclusion of the research trial;
o authorizes a covered entity to use or disclose protected health information without the express written authorization of the individual for public health activities or to comply with the requirements of any federal or state health benefit program or any federal or state law;
o authorizes a covered entity to disclose protected health information to certain public health authorities or state agencies.

The bill prohibits a person from re-identifying or attempting to re-identify an individual who is the subject of any protected health information without obtaining the individual's consent or authorization if required by state or federal law. The bill also prohibits a covered entity from disclosing, using, selling, or coercing an individual to consent to the disclosure, use, or sale of protected health information for marketing purposes without the consent or authorization of the individual who is the subject of the information.

The bill sets forth requirements and clarifications for:
o written marketing communication;
o civil penalties, disciplinary action, exclusion from state programs, and other remedies for a violation of these provisions;
o the adoption of rules, by a state agency that licenses or regulates a covered entity, as necessary to carry out the purposes of these provisions.

The bill requires a covered entity to comply with the provisions no later than September 1, 2003.

Except for provisions relating to marketing uses of information, the bill extends the provisions relating to medical records privacy to parties not currently addressed by HIPAA, such as the holder of an insurance license, an entity established under the Texas Workers' Compensation Insurance Fund, or a covered entity as defined in this bill with respect to the activities of a financial institution. The provisions do not prohibit the American Red Cross from accessing any information necessary to perform its disaster duties or emergency leave verification for military personnel, as in the case of the World Trade Center tragedy, whether to prepare soldiers for war or to identify victims of the disaster.

Senate Bill 11 amends the Insurance Code to provide that insurance carriers or agents must obtain an authorization to disclose any nonpublic personal health information before making such a disclosure. The bill also addresses provisions relating to the requirements for a written or electronic request for authorization. The bill provides the patient or their representative the right to revoke an authorization at any time, but the revocation does not apply to any release carried out prior to receipt of the notice of revocation. The bill authorizes a request for authorization to be delivered to a patient or their representative in a clear and easily understandable format. The bill does authorize an insurance company or agent to disclose nonpublic personal health information to the extent that the disclosure is necessary to perform certain specified insurance functions on behalf of the regular business. The bill authorizes the commissioner of insurance to adopt rules to implement provisions related to privacy of health information. The bill also allows the commissioner to delay the date for compliance if the commissioner determines that an entity needs more time to establish policies and systems.

Provisions amending the Health and Safety Code relating to medical records privacy take effect September 1, 2001. Provisions amending the Insurance Code relating to privacy of health information take effect January 1, 2002.

